The first group of federally certified cloud computing service providers will be announced in May, a General Services Administration official said Friday.
Dave McClure, GSA’s associate administrator of the office of citizen services and innovative technologies, said the list would be available at the end of next month, FedScoop reports.
McClure made the comments during the first public meeting of the Federal Risk and Authorization Management Program’s Joint Authorization Board.
JAB is responsible for assessing contracts, defining and maintaining security authorization requirements and approving accreditation criteria for third-party assessment organizations.
Board members present at the first meeting included McClure, GSA Chief Information Officer Casey Coleman, Homeland Security CIO Richard Spires, and David DeVries, the defense deputy CIO for information management, integration and technology.
DeVries stood in for Pentagon CIO Teri Takai.
McClure said the board is using a rigid process to authorize companies, including pre-established National Institute of Standards and Technology baseline standards and controls.
McClure said the program should collect FedRAMP information in a single place for agency CIOs to easily access and understand security issues.
Additional guidance for cloud providers in regard to continuous monitoring solutions will come within the next month or two in preparation for the full program launch, Spires said.
DeVries said he expects the security controls will be built on and will act as a guideline for future controls, the report said.
The board is tasked with creating and maintaining government-wide cloud security standards and will continue to issue certifications.
However, it is up to agency CIOs whether they operate the certified cloud packages, according to Coleman.
Coleman said the provisional authority is expected to be an 80-to-90 percent solution, speeding time to operation if the agency decides it fits its requirements and chooses to go that way.
DeVries said during the meeting that the program’s full capabilities will not be realized for more than a year.